IntuneEpmElevationRulesPolicyWindows10¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| Description | Write | String | Policy description | |
| DisplayName | Key | String | Policy name | |
| RoleScopeTagIds | Write | StringArray[] | List of Scope Tags for this Entity instance. | |
| Id | Write | String | The unique identifier for an entity. Read-only. | |
| ElevationRuleName | Write | MSFT_MicrosoftGraphIntuneSettingsCatalogElevationRuleName[] | Elevation Rule Name | |
| Assignments | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Represents the assignment to the Intune policy. | |
| Ensure | Write | String | Present ensures the policy exists, absent ensures it is removed. | Present, Absent |
| Credential | Write | PSCredential | Credentials of the Admin | |
| ApplicationId | Write | String | Id of the Azure Active Directory application to authenticate with. | |
| TenantId | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
| ApplicationSecret | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
| CertificateThumbprint | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
| ManagedIdentity | Write | Boolean | Managed ID being used for authentication. | |
| AccessTokens | Write | StringArray[] | Access token used for authentication. |
MSFT_DeviceManagementConfigurationPolicyAssignments¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| dataType | Write | String | The type of the target assignment. | #microsoft.graph.cloudPcManagementGroupAssignmentTarget, #microsoft.graph.groupAssignmentTarget, #microsoft.graph.allLicensedUsersAssignmentTarget, #microsoft.graph.allDevicesAssignmentTarget, #microsoft.graph.exclusionGroupAssignmentTarget, #microsoft.graph.configurationManagerCollectionAssignmentTarget |
| deviceAndAppManagementAssignmentFilterType | Write | String | The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude. | none, include, exclude |
| deviceAndAppManagementAssignmentFilterId | Write | String | The Id of the filter for the target assignment. | |
| deviceAndAppManagementAssignmentFilterDisplayName | Write | String | The display name of the filter for the target assignment. | |
| groupId | Write | String | The group Id that is the target of the assignment. | |
| groupDisplayName | Write | String | The group Display Name that is the target of the assignment. | |
| collectionId | Write | String | The collection Id that is the target of the assignment.(ConfigMgr) |
MSFT_MicrosoftGraphIntuneSettingsCatalogElevationRuleName¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| ChildProcessBehavior | Write | String | Child process behavior (allowrunelevated: AllowRunElevated, allowrunelevatedrulerequired: AllowRunElevatedRuleRequired, deny: Deny) | allowrunelevated, allowrunelevatedrulerequired, deny |
| FileName | Required | String | File name | |
| Name | Required | String | Rule name | |
| FilePath | Write | String | File path | |
| ProductName | Write | String | Product name | |
| AppliesTo | Write | String | Applies to (allusers: Allusers) | allusers |
| Description | Write | String | Description | |
| FileVersion | Write | String | Minimum version | |
| InternalName | Write | String | Internal name | |
| FileHash | Write | String | File hash. Required, if no certificate is used. | |
| FileDescription | Write | String | File description | |
| SignatureSource | Write | SInt32 | Signature source (0: ReusableCertificate, 1: NewCertificate) | 0, 1 |
| CertificateType | Write | String | Certificate type (publisher: Publisher, issuingauthority: IssuingAuthority) | publisher, issuingauthority |
| CertificatePayloadWithReusableSetting | Write | String | Certificate | |
| CertificateFileUpload | Write | String | File upload | |
| Elevationtype | Required | String | Elevation type (self: Userconfirmed, automatic: Automatic, deny: Deny, supportarbitrated: Supportapproved, userconfirmeduser: UserConfirmedUser) | self, automatic, deny, supportarbitrated, userconfirmeduser |
| UserConfirmedUserElevationTypeValidation | Write | SInt32Array[] | User Confirmed User Validation (2: Windows Authentication) | 2 |
| ElevationTypeValidation | Write | SInt32Array[] | Validation (1: Business Justification, 2: Windows Authentication) | 1, 2 |
| RestrictArguments | Write | String | Restrict Arguments (allow: Allow) | allow |
| ArgumentList | Write | StringArray[] | Argument List |
Description¶
Intune Epm Elevation Rules Policy for Windows10
Permissions¶
Microsoft Graph¶
To authenticate with the Microsoft Graph API, this resource required the following permissions:
Delegated permissions¶
-
Read
- DeviceManagementConfiguration.Read.All, Group.Read.All
-
Update
- DeviceManagementConfiguration.ReadWrite.All, Group.Read.All
Application permissions¶
-
Read
- DeviceManagementConfiguration.Read.All, Group.Read.All
-
Update
- DeviceManagementConfiguration.ReadWrite.All, Group.Read.All
Examples¶
Example 1¶
This example creates a new Intune Firewall Policy for Windows10.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
IntuneEpmElevationRulesPolicyWindows10 'Example'
{
Assignments = @(
MSFT_DeviceManagementConfigurationPolicyAssignments{
deviceAndAppManagementAssignmentFilterType = 'none'
dataType = '#microsoft.graph.groupAssignmentTarget'
groupId = '11111111-1111-1111-1111-111111111111'
}
);
Description = 'Description'
DisplayName = "IntuneEpmElevationRulesPolicyWindows10_1";
ElevationRuleName = @(
MSFT_MicrosoftGraphIntuneSettingsCatalogElevationRuleName{
ChildProcessBehavior = "allowrunelevated"
FilePath = "C:\temp"
FileVersion = "1.1.1.1"
CertificateType = "publisher"
FileDescription = "File Description"
Elevationtype = "self"
FileName = "file.exe"
ElevationTypeValidation = @(
1
2
)
Name = "Rule name"
RestrictArguments = "allow"
Description = "Description"
CertificatePayloadWithReusableSetting = "IntuneEpmCertificatePolicySetting_1"
AppliesTo = "allusers"
ProductName = "Product name"
InternalName = "Internal name"
SignatureSource = 0
}
MSFT_MicrosoftGraphIntuneSettingsCatalogElevationRuleName{
ChildProcessBehavior = "allowrunelevatedrulerequired"
CertificateType = "issuingauthority"
Elevationtype = "automatic"
FileName = "file2.exe"
Name = "Rule 2"
CertificatePayloadWithReusableSetting = "IntuneEpmCertificatePolicySetting_1"
AppliesTo = "allusers"
SignatureSource = 0
}
);
Ensure = "Present";
Id = '00000000-0000-0000-0000-000000000000'
RoleScopeTagIds = @("0");
ApplicationId = $ApplicationId;
TenantId = $TenantId;
CertificateThumbprint = $CertificateThumbprint;
}
}
}
Example 2¶
This example updates a Intune Firewall Policy for Windows10.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
IntuneEpmElevationRulesPolicyWindows10 'Example'
{
Assignments = @(
MSFT_DeviceManagementConfigurationPolicyAssignments{
deviceAndAppManagementAssignmentFilterType = 'none'
dataType = '#microsoft.graph.groupAssignmentTarget'
groupId = '11111111-1111-1111-1111-111111111111'
}
);
Description = 'Description'
DisplayName = "IntuneEpmElevationRulesPolicyWindows10_1";
ElevationRuleName = @(
MSFT_MicrosoftGraphIntuneSettingsCatalogElevationRuleName{
ChildProcessBehavior = "allowrunelevated"
FilePath = "C:\temp"
FileVersion = "1.1.1.1"
CertificateType = "publisher"
FileDescription = "File Description"
Elevationtype = "self"
FileName = "file.exe"
ElevationTypeValidation = @(
1
2
)
Name = "Rule name"
RestrictArguments = "allow"
Description = "Description"
CertificatePayloadWithReusableSetting = "IntuneEpmCertificatePolicySetting_1"
AppliesTo = "allusers"
ProductName = "Product name"
InternalName = "Internal name"
SignatureSource = 0
}
MSFT_MicrosoftGraphIntuneSettingsCatalogElevationRuleName{
ChildProcessBehavior = "allowrunelevatedrulerequired"
CertificateType = "issuingauthority"
Elevationtype = "automatic"
FileName = "file.exe" # Updated property
Name = "Rule 2"
CertificatePayloadWithReusableSetting = "IntuneEpmCertificatePolicySetting_1"
AppliesTo = "allusers"
SignatureSource = 0
}
);
Ensure = "Present";
Id = '00000000-0000-0000-0000-000000000000'
RoleScopeTagIds = @("0");
ApplicationId = $ApplicationId;
TenantId = $TenantId;
CertificateThumbprint = $CertificateThumbprint;
}
}
}
Example 3¶
This example removes a Device Control Policy.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
IntuneEpmElevationRulesPolicyWindows10 'Example'
{
DisplayName = "IntuneEpmElevationRulesPolicyWindows10_1";
Ensure = "Absent";
Id = '00000000-0000-0000-0000-000000000000'
ApplicationId = $ApplicationId;
TenantId = $TenantId;
CertificateThumbprint = $CertificateThumbprint;
}
}
}